hi, guys,
I just set up an OpenLDAP server via the compile command as follows.
./configure --prefix=/opt/openldap \
    --enable-overlays=mod \
    --enable-dynamic=yes \
    --enable-modules=yes \
    --enable-ppolicy=yes
slapd.conf is as below:
include /opt/openldap/etc/openldap/schema/core.schema
include /opt/openldap/etc/openldap/schema/cosine.schema
include /opt/openldap/etc/openldap/schema/inetorgperson.schema
include /opt/openldap/etc/openldap/schema/nis.schema
include /opt/openldap/etc/openldap/schema/openldap.schema
include /opt/openldap/etc/openldap/schema/ppolicy.schema
pidfile /opt/openldap/var/run/slapd.pid
argsfile /opt/openldap/var/run/slapd.args
access to attrs=userPassword
    by self write
    by anonymous auth
    by dn.base="cn=Manager,dc=abc,dc=com"
    by * none
access to *
    by self write
    by dn.base="cn=Manager,dc=abc,dc=com"
    by * read
    by * none
database bdb
suffix "dc=abc,dc=com"
rootdn "cn=Manager,dc=abc,dc=com"
rootpw 12345678
directory /opt/openldap/var/openldap-data
index cn,sn,uid pres,eq,approx,sub
index objectClass eq
loglevel -1
My question is that a user can't change his own password. I used the following command
and got a different result.
when not adding -x:
Is there an error in the ACL in my config file? I have set pwdReset to TRUE.
I need help. Thanks.
On 03/31/15 17:47 +0800, rockwang wrote:
access to attrs=userPassword by self write by anonymous auth by dn.base="cn=Manager,dc=abc,dc=com" by * none
access to * by self write by dn.base="cn=Manager,dc=abc,dc=com" by * read by * none
my question is that a user can't change his own password. I used the following command and got a different result.
when not adding -x
Consult the manpage for ldappasswd. In the first case (simple bind) you did not provide a binddn (-D). In the second case, you directed ldappasswd to perform a SASL bind but did not correctly provide an authentication identity, and the SASL mechanism negotiated could not derive one.
Hint: if using a simple bind, specify a full DN (with -D), and not a uid.
hi, Dan, thanks for your answer. I'm still a little confused about it. I ran the following command:
/opt/openldap/bin/ldappasswd -x -D "uid=bobliu,ou=it,dc=abc,dc=com" -W -S
New password:
Re-enter new password:
Enter LDAP Password:
Result: Insufficient access (50)
When I run ldapsearch it is OK.
/opt/openldap/bin/ldapsearch -x -D "uid=bobliu,ou=it,dc=abc,dc=com" -W
# bobliu, it, abc.com
dn: uid=bobliu,ou=it,dc=abc,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: bobliu
sn: fei
givenName: bobliu
cn: bobliu
displayName: bobliu
uidNumber: 10010
gidNumber: 10010
loginShell: /bin/bash
homeDirectory: /home/bobliu
mail: bobliu@abc.com
userPassword:: e3NzaGF9c1RLZW5oL2kxdmlocGw1NG55dUQybHA4ZldSM3o5RzIwdGZwSnc9PQ==
Any advice? Thanks.
On 04/02/2015 01:40 AM, Dan White wrote:
On 03/31/15 17:47 +0800, rockwang wrote:
access to attrs=userPassword by self write by anonymous auth by dn.base="cn=Manager,dc=abc,dc=com" by * none
access to * by self write by dn.base="cn=Manager,dc=abc,dc=com" by * read by * none
my question is that a user can't change his own password. I used the following command and got a different result.
when not adding -x
Consult the manpage for ldappasswd. In the first case (simple bind) you did not provide a binddn (-D). In the second case, you directed ldappasswd to perform a SASL bind but did not correctly provide an authentication identity, and the SASL mechanism negotiated could not derive one.
Hint: if using a simple bind, specify a full DN (with -D), and not a uid.
I found this log in the ldap.log file:
Apr 12 14:20:54 abc slapd[3136]: => access_allowed: auth access to "uid=bobliu,ou=it,dc=abc,dc=com" "userPassword" requested
Apr 12 14:20:54 abc slapd[3136]: => slap_access_allowed: backend default auth access granted to "(anonymous)"
Apr 12 14:20:54 abc slapd[3136]: => access_allowed: auth access granted by read(=rscxd)
Apr 12 14:20:54 abc slapd[3136]: => access_allowed: backend default write access denied to "uid=bobliu,ou=it,dc=abc,dc=com"
Why is access granted to anonymous, not bobliu?
On 04/12/2015 10:05 PM, feora wrote:
hi, Dan, thanks for your answer. I'm still a little confused about it. I ran the following command:
/opt/openldap/bin/ldappasswd -x -D "uid=bobliu,ou=it,dc=abc,dc=com" -W -S
New password:
Re-enter new password:
Enter LDAP Password:
Result: Insufficient access (50)
When I run ldapsearch it is OK.
/opt/openldap/bin/ldapsearch -x -D "uid=bobliu,ou=it,dc=abc,dc=com" -W
# bobliu, it, abc.com
dn: uid=bobliu,ou=it,dc=abc,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: bobliu
sn: fei
givenName: bobliu
cn: bobliu
displayName: bobliu
uidNumber: 10010
gidNumber: 10010
loginShell: /bin/bash
homeDirectory: /home/bobliu
mail: bobliu@abc.com
userPassword:: e3NzaGF9c1RLZW5oL2kxdmlocGw1NG55dUQybHA4ZldSM3o5RzIwdGZwSnc9PQ==
Any advice? Thanks.
On 04/02/2015 01:40 AM, Dan White wrote:
On 03/31/15 17:47 +0800, rockwang wrote:
access to attrs=userPassword by self write by anonymous auth by dn.base="cn=Manager,dc=abc,dc=com" by * none
access to * by self write by dn.base="cn=Manager,dc=abc,dc=com" by * read by * none
my question is that a user can't change his own password. I used the following command and got a different result.
when not adding -x
Consult the manpage for ldappasswd. In the first case (simple bind) you did not provide a binddn (-D). In the second case, you directed ldappasswd to perform a SASL bind but did not correctly provide an authentication identity, and the SASL mechanism negotiated could not derive one.
Hint: if using a simple bind, specify a full DN (with -D), and not a uid.
On 04/12/15 22:56 +0800, feora wrote:
I found this log in the ldap.log file:
Apr 12 14:20:54 abc slapd[3136]: => access_allowed: auth access to "uid=bobliu,ou=it,dc=abc,dc=com" "userPassword" requested
Apr 12 14:20:54 abc slapd[3136]: => slap_access_allowed: backend default auth access granted to "(anonymous)"
Apr 12 14:20:54 abc slapd[3136]: => access_allowed: auth access granted by read(=rscxd)
Apr 12 14:20:54 abc slapd[3136]: => access_allowed: backend default write access denied to "uid=bobliu,ou=it,dc=abc,dc=com"
Why is access granted to anonymous, not bobliu?
On 04/12/2015 10:05 PM, feora wrote:
hi, Dan, thanks for your answer. I'm still a little confused about it. I ran the following command:
/opt/openldap/bin/ldappasswd -x -D "uid=bobliu,ou=it,dc=abc,dc=com" -W -S
New password:
Re-enter new password:
Enter LDAP Password:
Result: Insufficient access (50)
When I run ldapsearch it is OK.
userPassword:: <removed>
Be aware that your SSHA password hash is now publicly known.
The above would indicate that you *are* successfully authenticating, since the userPassword attribute was returned. That's assuming that your ACL config below is accurate.
On 04/02/2015 01:40 AM, Dan White wrote:
On 03/31/15 17:47 +0800, rockwang wrote:
access to attrs=userPassword by self write by anonymous auth by dn.base="cn=Manager,dc=abc,dc=com" by * none
This config block has been through the wringer, but verify your userPassword ACL config. Something's up. Run slaptest on your config to verify it's formatted properly.
access to * by self write by dn.base="cn=Manager,dc=abc,dc=com" by * read by * none
--On Sunday, April 12, 2015 11:56 PM +0800 feora studyfordo@163.com wrote:
I found this log in the ldap.log file:
Apr 12 14:20:54 abc slapd[3136]: => access_allowed: auth access to "uid=bobliu,ou=it,dc=abc,dc=com" "userPassword" requested
Apr 12 14:20:54 abc slapd[3136]: => slap_access_allowed: backend default auth access granted to "(anonymous)"
Apr 12 14:20:54 abc slapd[3136]: => access_allowed: auth access granted by read(=rscxd)
Apr 12 14:20:54 abc slapd[3136]: => access_allowed: backend default write access denied to "uid=bobliu,ou=it,dc=abc,dc=com"
Why is access granted to anonymous, not bobliu?
anonymous is granted AUTH access (for bind).
The USER is granted READ access.
The USER is DENIED write access.
So you have an ACL that blocks WRITE access to the attribute for the USER.
--Quanah

--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
openldap-technical@openldap.org
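Quanah's reading of the log can be reproduced against the posted ACL. The following is an added example, not code from this thread or from OpenLDAP: a small Python model of how slapd evaluates an access directive (the first matching <what> is selected, then the first matching <who> clause decides, and anything after it is never consulted), run over the ACL block from the original post as a constructed sample with the by lines indented as slapd.conf continuation lines. It models only the subset used here (attrs=, self, anonymous, dn.base=, * and the none < auth < compare < search < read < write levels); the real server has more <who> forms and levels, and the rootdn bypasses ACLs entirely.

```python
import re

# Subset of slapd access levels, lowest to highest (disclose and manage omitted).
LEVELS = {"none": 0, "auth": 1, "compare": 2, "search": 3, "read": 4, "write": 5}

# Constructed sample: the ACL block from the original post, with the <who> lines
# indented because slapd.conf treats a line starting with whitespace as a continuation.
SAMPLE_CONF = """\
access to attrs=userPassword
    by self write
    by anonymous auth
    by dn.base="cn=Manager,dc=abc,dc=com"
    by * none
access to *
    by self write
    by dn.base="cn=Manager,dc=abc,dc=com"
    by * read
    by * none
"""

def parse_acls(text):
    """Return ([(attrs or None, [(who, level), ...]), ...], warnings)."""
    acls, warnings = [], []
    folded = re.sub(r"\n[ \t]+", " ", text)  # fold continuation lines into their directive
    for what, rest in re.findall(r"^access to (\S+)\s+(.*)$", folded, re.M):
        attrs = what[6:].split(",") if what.startswith("attrs=") else None
        clauses = re.findall(r"by\s+(\S+)(?:\s+(?!by\b)(\w+))?", rest)
        for i, (who, level) in enumerate(clauses):
            if not level:  # no <access> written: flagged, and treated as none in this toy
                warnings.append(f"{what}: 'by {who}' has no access level")
            if who == "*" and i < len(clauses) - 1:
                warnings.append(f"{what}: clauses after 'by *' are unreachable")
        acls.append((attrs, [(w, lv or "none") for w, lv in clauses]))
    return acls, warnings

def access_allowed(acls, bind_dn, entry_dn, attr, requested):
    """Mimic slapd: first matching <what> wins, then first matching <who>; otherwise deny.
    bind_dn is None for an anonymous (unauthenticated) requester."""
    for attrs, clauses in acls:
        if attrs is not None and attr not in attrs:
            continue
        for who, level in clauses:
            matched = (who == "*" or (who == "self" and bind_dn == entry_dn)
                       or (who == "anonymous" and bind_dn is None)
                       or (who.startswith("dn.base=") and who[8:].strip('"') == bind_dn))
            if matched:
                return LEVELS[level] >= LEVELS[requested], f"by {who} {level}"
        return False, "implicit by * none"
    return False, "implicit access to * by * none"
```

parse_acls flags two things worth checking in the posted block: the by dn.base=... clauses carry no access level, and the by * none after by * read can never be reached. On the real server, slaptest -f slapd.conf checks the syntax and slapacl(8) answers the same who-may-do-what question against the actual configuration.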